SOP (the same-origin policy) is an important security concept in browsers. Put simply, SOP lets client-side code such as JavaScript access only resources from the same domain (origin) as the page it runs in. The first picture shows the problem. SOP is very important for internet applications, because you want to prevent everybody from accessing your services and content. In enterprise environments, however, this restriction is often unnecessary and obstructive. Because turning down your browser security configuration is no option, I will show you how you can solve this problem in different ways.
In my previous post, I explained how you can call a web service in a different domain with jQuery without running into SOP restrictions. This approach is sometimes very useful and easy to implement. But when you can't enhance your services to provide JSONP (or maybe you just refuse to do so), there are some other solutions to this problem.
A reverse proxy is a special kind of web server. This passage from the official Apache documentation describes its features very precisely:
A reverse proxy (or gateway) appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.
A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall. Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.
The last sentence is the important one for getting around SOP. The following picture shows the enhanced infrastructure.
All systems are now in the same domain, so you can call the services without running into SOP restrictions.
Now I will show you how you can test the functionality of a reverse proxy on your local PC. I will use Windows 7 as the operating system and the Windows version of Apache HTTP Server. Before we start, just a short note: if you are going to run Apache HTTP Server in your company, I recommend using UNIX/Linux as the OS rather than Windows. Besides, you will need a system engineer or web admin to create a complete environment with a thorough configuration. Important issues are security, load balancing and caching.
As you can see on this site, there are different options for deploying Apache httpd on Windows. We will use the build from Apache Lounge. Go to this site and download the latest version of the Apache Win32 binaries (e.g. httpd-2.4.4-win32.zip).
After downloading, unzip the Apache<version> folder to C:\Apache<version> (that is the ServerRoot in the config). If you unzip to another location, you have to make some changes in the configuration. For testing, it's better to use C:\Apache<version> (in my example: C:\Apache24).
After that, open a console, go to C:\Apache24\bin and start httpd.exe. When everything is fine, you should see a console like this.
Now the server is running. The message AH00558 is just a warning. To fix it, go to C:\Apache24\conf and open the httpd.conf file (this is the place where all important configuration is done). Search for 'ServerName' and remove the hash at the start of the line (so it's no longer a comment). For our test, you can choose any name, for example:
ServerName www.test.com:80
When you now restart the server (press Ctrl+C in the console and start httpd.exe again), the message should have disappeared.
Open your browser and call http://localhost. You should see a simple "It works!". If you have problems starting your server, make sure that no other service is listening on port 80. Besides, be sure that you have installed the Visual C++ 2010 SP1 Redistributable Package x86. You can download it from here. If you want to check the error log for more information, go to C:\Apache24\logs and open error.txt.
Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. To activate the basic reverse proxy features for HTTP, go to C:\Apache24\conf and open httpd.conf. Remove the hash in front of LoadModule proxy_module modules/mod_proxy.so and LoadModule proxy_http_module modules/mod_proxy_http.so. Restart your server.
Let's say we no longer want to call the start page of amazon.com via http://www.amazon.com but via localhost/amazon. Add these two lines at the end of your httpd.conf:
ProxyPass /amazon http://www.amazon.com/
ProxyPassReverse /amazon http://www.amazon.com/
Restart your server and go to localhost/amazon. You should see the start page of amazon.com! And that's it!
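As an added illustration (not part of the original post and not Apache's code), the following Python model shows what the two directives do: ProxyPass maps a local path onto the backend URL, and ProxyPassReverse rewrites the Location header of a backend redirect so the browser stays on localhost/amazon instead of being sent back to www.amazon.com. Apache's exact matching rules are simplified, and the proxy host name is assumed to be localhost.

```python
# Added example, not code from the post or from Apache: a toy model of what the
# two httpd.conf lines above do. Only the request path mapping (ProxyPass) and
# the rewrite of a redirect's Location header (ProxyPassReverse) are modelled;
# Apache's exact matching rules and the other headers it rewrites are omitted.

# ProxyPass /amazon http://www.amazon.com/   (the mapping from httpd.conf)
PROXY_PASS = {"/amazon": "http://www.amazon.com/"}


def _remainder(path, prefix):
    """Part of path after prefix, or None when prefix does not match on a
    path-segment boundary (so '/amazonia' is not treated as '/amazon')."""
    if path == prefix:
        return ""
    if path.startswith(prefix) and (prefix.endswith("/") or path[len(prefix)] == "/"):
        return path[len(prefix):].lstrip("/")
    return None


def map_request(path, mapping=PROXY_PASS):
    """ProxyPass: turn a request path seen by the proxy into the backend URL
    to fetch. None means no mapping applies and the proxy serves it itself."""
    for local, backend in mapping.items():
        rest = _remainder(path, local)
        if rest is not None:
            return backend + rest
    return None


def rewrite_location(location, proxy_host, mapping=PROXY_PASS):
    """ProxyPassReverse: when the backend redirects to
    http://www.amazon.com/gp/cart, the browser must be sent to
    http://<proxy>/amazon/gp/cart instead, otherwise it leaves the proxy (and
    the shared origin) again. Locations not covered by a mapping pass through
    untouched, so a redirect to https://www.amazon.com/... would need its own
    ProxyPassReverse line."""
    for local, backend in mapping.items():
        if location.startswith(backend):
            return f"http://{proxy_host}{local.rstrip('/')}/" + location[len(backend):]
    return location


# Defender's note: everything reached via /amazon is now same-origin with the
# proxy's own pages, so scripts in proxied content can read and script against
# anything else served from that host.
if __name__ == "__main__":
    print(map_request("/amazon/gp/cart"))  # http://www.amazon.com/gp/cart
    print(rewrite_location("http://www.amazon.com/gp/cart", "localhost"))
```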
This was just a tiny, minimal configuration for reverse proxy functionality. For enterprise environments, you will need much more configuration in order to cover all requirements. Some issues of this solution, which can be solved by adding further modules and configuration, are listed here:
Besides AJP and HTTP, you can use a reverse proxy for other protocols, too. Currently there are modules for AJP, HTTP, CONNECT (for SSL), FastCGI, FTP and SCGI.
Another approach to working around SOP is Cross-Origin Resource Sharing (CORS). This article from the Mozilla Developer Network explains the characteristics of CORS very well. Here is a short extract:
Cross-site HTTP requests initiated from within scripts have been subject to well-known restrictions, for well-understood security reasons. For example HTTP Requests made using the XMLHttpRequest object were subject to the same-origin policy. In particular, this meant that a web application using XMLHttpRequest could only make HTTP requests to the domain it was loaded from, and not to other domains. Developers expressed the desire to safely evolve capabilities such as XMLHttpRequest to make cross-site requests, for better, safer mash-ups within web applications.
The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser.
To test this feature, look at the response headers of this service: http://ip.jsontest.com/.
When you call this service with jQuery without JSONP, you will still get an answer (you can test this call right here). This is only possible because of the response header "Access-Control-Allow-Origin".
This solution means that you don't have to set up an additional server instance in your infrastructure. Instead, you have to enhance your services with HTTP headers. There are several ways to achieve this.
When you create simple HTTP services with ICF, you can add additional header information very easily. Besides, you can implement this feature in your own HTTP handler class, which is added to your handler list in SICF.
SERVER->response->set_header_field(
  EXPORTING
    name  = 'Access-Control-Allow-Origin'
    value = '*'
).
When you can't configure your Java server to add new headers, you can write a simple filter for your web application that adds the CORS header.
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlet filter that adds the CORS header to every response of the URLs it
// is mapped to (see the filter-mapping in web.xml below).
public class CORSFilter implements Filter {

    public CORSFilter() {
    }

    public void init(FilterConfig fConfig) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // '*' lets scripts from every origin read the response; narrow this
        // to the origins that really need access if the service is not public.
        ((HttpServletResponse) response).addHeader(
                "Access-Control-Allow-Origin", "*");
        // Hand the request on to the rest of the chain and the servlet itself.
        chain.doFilter(request, response);
    }
}
This is the enhancement for your web.xml.
<filter>
  <filter-name>CORSFilter</filter-name>
  <filter-class>CORSFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CORSFilter</filter-name>
  <url-pattern>/service/*</url-pattern>
</filter-mapping>
Whether it's possible to add custom header fields, and how easy it is, depends on your server. A short chat with your admins should give you more information.
I hope all this information will help you to get around SOP. I wish you success!
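Both the ICF and the Java snippet above answer every origin with '*'. That is fine for a public read-only service such as ip.jsontest.com, but for a service meant only for your own portal a filter should check the Origin header against an allowlist, echo the matching origin and handle the browser's preflight request; the following Python model of that header logic is an added example (not from the post, SAP or the servlet API), with constructed origin names.

```python
# Added example, not code from the post, SAP or the servlet API: the header
# decisions a CORS filter should make instead of answering '*' to everyone.
# Origin names are constructed; port the logic into doFilter() or the ICF handler.

ALLOWED_ORIGINS = {"https://portal.example.com", "https://intranet.example.com"}
ALLOWED_METHODS = "GET, POST"
ALLOWED_HEADERS = {"content-type", "authorization"}  # compared case-insensitively


def cors_headers(method, request_headers, allowed_origins=ALLOWED_ORIGINS,
                 allow_credentials=False):
    """Return the CORS response headers for one request.
    An empty dict means: add nothing, so the browser keeps enforcing SOP."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        # No Origin header (same-origin or non-browser client) or an origin we
        # do not trust: stay silent, the browser then blocks the script's read.
        return {}
    # Echo exactly one trusted origin instead of '*'. 'Vary: Origin' stops a
    # cache from handing origin A's answer to origin B.
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        # Browsers refuse '*' in combination with cookies or Authorization;
        # echoing the origin is the only way to permit credentialed requests.
        headers["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: the browser asks before sending a non-simple request
        # (e.g. a PUT or a JSON body). Grant only what the service needs.
        requested = request_headers.get("Access-Control-Request-Headers", "")
        granted = [h.strip() for h in requested.split(",")
                   if h.strip().lower() in ALLOWED_HEADERS]
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        if granted:
            headers["Access-Control-Allow-Headers"] = ", ".join(granted)
        headers["Access-Control-Max-Age"] = "600"  # cache the preflight for 10 min
    return headers


if __name__ == "__main__":
    print(cors_headers("GET", {"Origin": "https://portal.example.com"}))
    print(cors_headers("GET", {"Origin": "https://evil.example"}))  # {}
```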